METHOD AND SYSTEM FOR DETECTING VIRUSES ON
HANDHELD COMPUTERS 

BACKGROUND OF THE INVENTION 

The present invention relates generally to a virus detection system and 
method, and more particularly, to a system and method for detecting viruses 
on handheld computers. 

A huge surge in computer viruses has occurred in the last decade. 
Computer viruses have gone from an academic curiosity to a persistent, 
worldwide problem. Today, viruses affect vast numbers of computers in 
locations throughout the world. A computer virus is generally a manmade 
destructive computer program or code that is loaded onto a computer system 
without the knowledge of the user. The computer virus is often a
self-replicating program containing code that explicitly copies itself and can infect
other programs by modifying them or their environment. Even a simple virus 
can be dangerous as the virus can quickly use a large portion of the available 
memory and possibly bring down the computer system. 

Viruses can be written for, and spread on, virtually any computing 
platform. A virus can infect, or become resident in almost any software
component, including an application, operating system, system boot code, or
device driver. Computer viruses spread by attaching themselves to other 
programs (e.g., word processing or spreadsheet applications) or to a boot 
sector of a disk. When an infected file is activated or executed, or when the 
computer is started from an infected disk, the virus is also executed and 
attempts to infect other files. Since a virus is software code, it can be 
transmitted along with any legitimate software that enters the computer 
environment. Some viruses are capable of transmitting themselves across 
networks and bypassing security systems. For example, a virus can spread to 
files on a local area network (LAN) based file server, and from there to other 
client systems attached to the server. Similarly, systems that run programs 
from wide area network (WAN) file servers can become infected if the 
programs on the server are susceptible to infection. In the networked world of 
the Internet, viruses can rapidly spread. 

The term virus generally refers to any destructive or harmful program
or code that attempts to hide its possibly malicious function or tries to spread 
onto as many computers as possible. One common type of virus is a macro 
virus which is encoded as a macro embedded in a document. Many 
applications support macro languages which allow the user to embed a macro 
in a document and have the macro execute each time the document is opened.
Once a computer system is infected with a macro virus, the virus can embed
itself in all future documents created with the associated application. 

Another common virus is a boot sector virus which replaces the 
computer system's master boot record with its own code. The boot sector 
virus is a small program executed each time a computer boots. The virus 
infects floppy disks and hard disks by inserting itself into the boot sector of the 
disk, which contains code that is executed during the system boot process. 
Since the master boot record executes every time the computer is started, the 
boot sector virus can be very dangerous to the integrity of the computer 
system. The boot sector virus typically enters the computer system through a 
floppy disk installed in the floppy drive when the computer system is started. 

Another type of virus, which is often difficult to detect, is a 
polymorphic virus. This virus produces varied but operational copies of itself. 
Code within the virus includes an encryption routine to help the virus hide 
from detection, plus a decryption routine to restore the virus to its original 
state when it executes. 

A Trojan horse is another type of virus which masquerades as a 
legitimate software program. The Trojan horse generally does not replicate. It 
waits until its trigger event occurs and then displays a message or destroys 
files or disks.

A computer worm is another type of virus that can replicate itself and
use memory but cannot attach itself to other programs. The computer worm is 
a self-contained program, or set of programs, that is able to spread functional 
copies of itself or its segments to other computer systems, usually via network 
connections. Host computer worms are entirely contained in the computer 
they run on and use network connections only to copy themselves to other 
computers. Network worms consist of multiple parts (called "segments"), 
each running on different machines and using the network for several 
communication purposes. 

Many antivirus programs have become commercially available for 
protection against viruses. There are three main types of antivirus software: 
activity monitors, scanners, and integrity checkers. Activity monitoring 
programs attempt to prevent infection before it happens by looking for virus 
type activity, such as attempts to reformat a disk. Scanners are the most 
widely used type of antivirus program. Virus scanners generally operate in 
batch mode, scanning all files on a system, hard disk, or floppy disk, when 
requested by the user, or at set intervals. They look for known viruses by 
searching disks and files for scan strings or patterns. A scanner may be 
designed to examine specified disks or files on demand, or it may be resident, 
examining each program that is about to be executed. Most scanning 
programs include an update feature that allows the antivirus program to
download profiles of new viruses from the Internet so that the program can
check for new viruses soon after they are discovered. Most scanners also
include virus removers which are operable to clean infected files. One
example of an antivirus scanner is McAfee's VSHIELD.

WO 01/73523

PCT/US01/07624

The third type of antivirus software, integrity checkers, compute a 
small checksum or hash value for files which are presumably uninfected, and 
later compare newly calculated values with the original ones to see if the files 
have been modified. These programs catch unknown viruses as well as known 
ones. As with scanners, integrity checkers may be called to check entire disks 
or they may be resident, checking each program that is about to be executed. 

Most of the antivirus software available today, such as conventional
device-resident antivirus scanners, requires a large amount of memory. For
example, typical scanner software requires approximately 16 MB of RAM.
While this memory is typically insignificant on personal computers (e.g.,
desktop or laptop computers), handheld computers often include no more than
2 MB of dynamic memory and storage and are not equipped to handle such large
memory requirements. Furthermore, handheld computers are generally too 
slow to provide reasonable virus scanning performance. 

Moreover, many handheld computers are not equipped to provide
network access, and those that can connect with a network utilize a
connection that is either too slow or expensive to be practical for the sizable
transfer of data, such as updates to handheld computer applications. 

Handheld computers include devices such as personal digital assistants 
(PDAs) and smart phones which are generally small enough to be held in the 
hand of a user. These devices typically include applications such as an 
address book, daily organizer, and electronic notepad. Examples of handheld 
computers include 3Com's PALM PILOT, Handspring's VISOR, Casio's 
CASSIOPEIA, Compaq's AERO, Hewlett Packard's JORNADA, NEC's 
MOBILEPRO, Novatel's CONTACT WIRELESS, Sharp's MOBILON,
Vadem's CLIO, Apple's NEWTON, Research in Motion's BLACKBERRY, 
Psion's REVO, NETBOOK, and WORKABOUT, NeoPoint's 1000, and 
Qualcomm's PDQ. Handheld computers are widely operated in an 
environment where software and data records are shared between users. For 
example, software may be transferred between two handheld computers or 
downloaded from a personal computer system to a handheld computer. 
Handheld computers may also receive e-mail messages and other data from 
another handheld computer via an infrared port or from a personal computer 
through a modem, serial line connection, or network. In this shared 
environment, computer viruses can spread among handheld computers as 
rapidly as they do with personal computer systems.

There is, therefore, a need for a system and method for detecting
viruses on handheld computers. There is also a need for an efficient method 
for updating applications on the handheld computer. 

SUMMARY OF THE INVENTION 

A method and system for detecting viruses on a handheld computer in 
communication with a computer system having a virus detection program are 
disclosed. Several inventive embodiments of the present invention are 
described below. 

In one aspect of the invention, a method includes reading data from the 
handheld computer and storing the data at least temporarily on the computer 
system. The data is scanned for viruses with the virus detection program. The 
method further includes updating data on the handheld computer based on 
results of the scanning. 

The method may also include cleaning the data of viruses identified 
during the scanning. The cleaned data may then be written to the handheld 
computer during the updating of data on the handheld computer. Infected data 
may also be deleted from the handheld computer, quarantined on the computer 
system, or ignored. 

In another aspect of the invention, a method includes creating a
communication link between the handheld computer and the computer system.
Data is copied from the handheld computer to the computer system and
scanned for viruses with the virus detection program while the handheld
computer is in communication with the computer system. 

The communication link may be a serial line, dial-up line, network, or 
a wireless connection. The serial line may be connected to the computer 
system at one end and a cradle configured for connection with the handheld 
computer at the other end. The communication link may be initiated by 
starting a synchronization operation between the handheld computer and the 
computer system. 

A system of the present invention generally includes a file transfer 
manager operable to receive data from a handheld computer and at least 
temporarily store the data on the computer system. A virus detection program 
is located on the computer system and operable to scan the data for viruses. 
The system further includes an antivirus controller operable to update data on 
the handheld computer to remove viruses identified by the virus detection 
program. 

In yet another aspect of the invention, a computer product generally 
includes computer code that reads data from the handheld computer and writes 
the data at least temporarily to a database on the computer system. The 
computer product also includes computer code that scans the data for viruses 
and updates data on the handheld computer to remove viruses identified 
during scanning. A computer readable medium stores the computer codes.
The computer product may also include code that cleans infected data and
code that selects data to read from the handheld computer. 

Another method of the present invention is for updating software on a 
handheld computer in communication with a client computer operable to 
connect to a network. The method generally includes identifying software 
installed on the handheld computer with the client computer and transmitting 
information on the software from the client computer to a server connected to 
the network. Updated versions of the software are transferred from the server 
to the client computer. The method further includes updating the software 
installed on the handheld computer with the updated versions transferred to 
the client computer. 

The above is a brief description of some deficiencies in the prior art 
and advantages of the present invention. Other features, advantages, and 
embodiments of the invention will be apparent to those skilled in the art from 
the following description, drawings, and claims. 

BRIEF DESCRIPTION OF THE DRAWINGS 

Fig. 1 is a schematic of a handheld computer and a personal computer 
equipped with a cradle for synchronizing with the handheld computer. 

Fig. 2 is a schematic illustrating an example of a computer system that 
can be utilized to execute software of an embodiment of the invention.

Fig. 3 is a system block diagram of the computer system of Fig. 2.

Fig. 4 is a block diagram illustrating a file transfer program on the 
handheld computer communicating with an antivirus scanner and a PIM 
application on the personal computer. 

Fig. 5 is a dialog box displayed on a screen of the personal computer to 
provide options for virus scanning of files on the handheld computer. 

Fig. 6 is a dialog box displayed on the personal computer screen while 
files resident on the handheld computer are copied and scanned on the 
personal computer. 

Fig. 7 is a dialog box indicating that a virus has been found in one of 
the files copied from the handheld computer and requesting user direction as 
to what to do with the infected file. 

Fig. 8 is a flowchart illustrating a process for performing virus 
scanning and synchronization operations on the handheld computer. 

Fig. 9 is a flowchart illustrating a process for conducting a virus scan 
on files resident on the handheld computer. 

Fig. 10 is a block diagram illustrating an update program on the 
personal computer communicating with a server and a file transfer program on 
the handheld computer.

Fig. 11 is a flowchart illustrating a process for updating software on a
handheld computer. 

Corresponding reference characters indicate corresponding parts 
throughout the several views of the drawings. 

DETAILED DESCRIPTION OF THE INVENTION 

The following description is presented to enable one of ordinary skill 
in the art to make and use the invention. Descriptions of specific 
embodiments and applications are provided only as examples and various 
modifications will be readily apparent to those skilled in the art. The general 
principles described herein may be applied to other embodiments and 
applications without departing from the scope of the invention. Thus, the 
present invention is not to be limited to the embodiments shown, but is to be 
accorded the widest scope consistent with the principles and features described 
herein. For purpose of clarity, details relating to technical material that is 
known in the technical fields related to the invention have not been described 
in detail. 

Referring now to the drawings, and first to Fig. 1, a handheld computer
20 and a personal computer 22 equipped with a cradle 24 for communication
with the handheld computer are shown. The cradle 24 is attached to a serial
port 26 of the personal computer 22 and is used to provide a communication
link 28 (e.g., serial data line, USB connection, parallel (printer port)
connection, FireWire connection, PCMCIA connection, or any other type of
data communication line) between the handheld computer 20 and the personal 
computer 22. The serial communication line 28 extends from the serial port 
26 and terminates at a serial connector 29 on the cradle 24. A matching serial 
connector (not shown) on the handheld computer 20 connects the handheld 
computer to the personal computer 22. The communication link may also be a 
communication path over a network or a wireless communication link, as 
further described below. 

The handheld computer 20 typically does not include sufficient 
memory to allow for efficient virus scanning of files directly on the handheld 
computer. The present invention provides a system and method for scanning 
handheld computer files (including, for example, applications and data 
records) with an antivirus scanner located on the personal computer 22, which 
is in communication with the handheld computer. 

The handheld computer 20 is generally a mobile computing device that 
is sufficiently compact such that it can be held in a user's hands and easily
carried by the user. Examples of handheld computers include the following 
personal digital assistants (PDAs): 3Com's PALM PILOT, Handspring's 
VISOR, Casio's CASSIOPEIA, Compaq's AERO, Hewlett Packard's 
JORNADA, NEC's MOBILEPRO, Novatel's CONTACT WIRELESS,
Sharp's MOBILON, Vadem's CLIO, Apple's NEWTON, Research in
Motion's BLACKBERRY, Franklin's REX, Symbol's SPT and PPT, and
Psion's REVO, NETBOOK, and WORKABOUT. Handheld computers also
include "smart" phones such as those manufactured by Nokia, Ericsson,
NeoPoint, and Qualcomm. The term handheld computer, as used herein, 
generally includes any compact computing device operable to transfer 
executable code between itself and another computer. The term handheld 
computer also includes devices which may be connected to a larger device, 
such as Clarion's AUTO PC, which is a personal assistant that can be placed 
in the dash board of an automobile. Many of these handheld computers 
operate on a PalmOS platform, or use a Windows CE or EPOC operating 
system. It is to be understood that the devices and operating systems listed 
above are merely provided as examples and that the invention is not limited to 
use with these devices and systems. 

Fig. 1 shows an exemplary handheld computer available from 3COM 
of Santa Clara, California, under the product name PALM V. Most of the 
surface area of the handheld computer 20 consists of a screen display area 30 
which is used to display information to the user. The screen display area 30 is 
covered with a touch sensitive digitizer pad that can detect user interaction 
with a stylus or a finger. Below the display area 30 is a user input area 32 
which is used to input text in a writing area 34 and interact with application 
buttons 36. Below the user input area 32 are mechanical scrolling button 38
and application buttons 40. A mechanical power button 42 is provided to turn
the handheld computer 20 on and off. The application buttons 40 are used to 
execute applications such as an address book, calendar, To-Do list, or memo 
pad. It is to be understood that the handheld computer 20 may be different 
than shown and described herein without departing from the scope of the 
invention. For example, the handheld computer may include a miniaturized 
keyboard and display screen such as included in the Hewlett Packard 
JORNADA 680. 

The personal computer (computer system) 22 may be a stand-alone 
desktop computer, laptop computer, or a mainframe computer, for example. 
The personal computer 22 may be configured for use as a server or other 
networked computer. Fig. 2 illustrates an example of a computer system 22 
that can communicate with the handheld computer 20 and be used to execute 
software of an embodiment of the invention. The computer system 22 
includes a display 52, screen 54, cabinet 56, keyboard 58, and mouse 60, 
which may include one or more buttons for interacting with a GUI (Graphical 
User Interface). Cabinet 56 houses a CD-ROM drive 62, system memory 72 
and fixed storage 74 (see Fig. 3) which can be utilized to store and retrieve 
software programs incorporating computer code that implements aspects of 
the invention, data for use with the invention, and the like. Although
CD-ROM 64 and floppy disk 68 are shown as exemplary computer readable
storage media, other computer readable storage media including tape, flash
memory, system memory, and hard drive can be utilized. Additionally, a data 
signal embodied in a carrier wave (e.g., in a network including the Internet) 
can be the computer readable storage medium. 

Fig. 3 shows a system block diagram of computer system 22 used to 
execute software of an embodiment of the invention. Computer system 22 
further includes subsystems such as a central processor 70, system memory 
72, fixed storage 74 (e.g., hard drive), removable storage 76 (e.g., CD-ROM 
drive), display adapter 78, sound card 80, transducers 82 (e.g., speakers, 
microphones, and the like), network interface 84, and printer/fax/scanner 
interface 86. Other computer systems suitable for use with the invention may 
include additional or fewer subsystems. For example, computer system 22 
may include more than one processor 70 (i.e., a multi-processor system) or a 
cache memory. 

The system bus architecture of computer system 22 is represented by 
arrows 90 in Fig. 3. However, these arrows are only illustrative of one 
possible interconnection scheme serving to link the subsystems. For example, 
a local bus could be utilized to connect the central processor 70 to the system 
memory 72 and display adapter 78. Computer system 22 shown in Figs. 2 and 
3 is but an example of a computer system suitable for use with the invention.
Other computer architectures having different configurations or subsystems
may also be utilized. 

The computer system 22 may be a client computer coupled to an 
Internet service provider over a SLIP (Serial Line Interface Protocol) or PPP 
(Point to Point Protocol) connection. The Internet service provider is, in turn, 
coupled to the Internet, the client computer thereby having the ability to send 
and receive information to other nodes on the Internet using a TCP/IP protocol 
(Transmission Control Protocol/Internet Protocol). Servers capable of sending 
and receiving information over the Internet are also connected to the Internet. 
The servers may comprise a World Wide Web site having a variety of 
software updates for handheld computer programs or applications, as further 
described below with respect to Fig. 10. The server may be associated with a 
particular software manufacturer, which stores and maintains versions of 
specific handheld computer applications, or the server may comprise a variety 
of different applications and update information. The client computer 22 may 
also be connected to the server through a LAN, WAN, or any other type of 
network. 

The handheld computer 20 generally includes a suite of personal 
information management (PIM) applications such as an address book, daily 
organizer, To-Do list, and memo pad (Fig. 1). Most people that use a 
handheld computer 20 also use a personal computer 22 with similar PIM
applications. The handheld computer 20 allows a user to have at his fingertips
the information contained within PIM applications (e.g., Microsoft Outlook, 
Palm Desktop) resident on the personal computer 22. In order to keep the 
information on the handheld computer 20 up to date with information on the 
personal computer 22 and to prevent having to enter the same information on 
both computers, information is synchronized between the handheld computer 
and the personal computer. 

Synchronization is a process of merging two databases, one on the 
handheld computer 20 and one on the personal computer 22. In order to 
synchronize information between the handheld computer 20 and the personal 
computer 22, the handheld computer is placed in the cradle 24 and a 
synchronization button 94 is pressed (Fig. 1). Actuation of the 
synchronization button 94 causes a synchronization program on the handheld 
computer 20 to execute which in turn starts a corresponding synchronization 
program on the personal computer 22. The synchronization operation may 
also begin automatically when the handheld computer 20 is placed in the 
cradle 24. The handheld computer 20 preferably has a name assigned to it the 
first time it is synchronized with the personal computer 22. This allows a 
second handheld computer 20 to be synchronized with the same personal 
computer 22. The handheld computer 20 may also be synchronized with a 
second personal computer 22 since users often have a personal computer at
work and a different personal computer at home. As described below, virus
scanning of files on the handheld computer 20 may be performed in 
conjunction with the synchronization operation. The cradle 24 may also 
include a scanning button, similar to the synchronization button 94, so that 
scanning can be performed independent from the synchronization process. 

The handheld computer 20 may include a modem so that the handheld 
computer can be synchronized and its files scanned for viruses remotely from 
the personal computer 22. The modem may be attached to a phone line or use 
a wireless connection. In order to synchronize and scan files on the handheld 
computer 20 remotely, software on the handheld computer dials a modem 
coupled to the personal computer 22. Once the call has been answered, 
software on the handheld computer 20 sends a synchronization request to the 
computer 22. The handheld computer 20 may then be synchronized with the 
personal computer 22 and scanned for viruses over the remote connection. 
The handheld computer 20 may also be synchronized and scanned for viruses 
over a network. If the user has access to a personal computer that is coupled 
to his own personal computer 22 through a network, the user can use the 
network as a communication medium. Virus scanning and synchronization 
can be performed by dialing in to a network or by using the cradle 24 
connected to any computer on the same LAN or WAN as the user's personal 
computer 22.

Fig. 4 illustrates a file transfer program 98 on the handheld computer
20 communicating with an antivirus scanner 100 and PIM application 102 on 
the personal computer 22. The handheld computer 20 and personal computer 
22 are in communication with one another through a communication link 120. 
As previously described, the communication link 120 may be a serial line, 
dial-up line, network, or wireless connection. The antivirus scanner 100 scans 
files downloaded into an antivirus database 104 and the PIM application 102 
receives and sends data to PIM database 106. Data is typically stored on the 
handheld computer 20 in memory chunks called records, which are grouped 
into databases 108. The database 108 is analogous to a file except that data is 
broken down into multiple records instead of being stored in one contiguous 
chunk. Each database 108 includes a database header and record information. 
A data manager keeps track of records using a record ID that is assigned by 
the operating system. Each data record may include a flag which identifies if 
the record is new, modified, or deleted. The handheld computer 20 and the 
personal computer 22 maintain a set of status flags for each of their 
corresponding data records. After each synchronization, all the data record 
status flags are cleared since the two systems have identical databases after the 
synchronization. 

The personal computer 22 includes a file transfer program manager 
110 which communicates with the file transfer program 98 within the
handheld computer 20. On a personal computer using the PALM operating 
system, the file transfer manager is called a HOTSYNC manager. The 
manager 110 manages the synchronization and virus scanning process and 
calls on conduits to perform the actual data manipulation. Antivirus conduit 
114 interfaces with the database 104 and antivirus scanner 100 to control the
antivirus scanning. PIM conduit 116 controls synchronization with the PIM
application 102. The conduits 114, 116 are dynamic link libraries (DLLs) that
are called during a virus scan and synchronization operation, respectively.
The conduits 114, 116 are responsible for reading and writing both the
personal computer databases 104, 106 and the handheld computer databases 
108 and for performing any data transformations or file value mappings 
required to accurately move data between the two systems. 

The antivirus conduit 114 may include a priority setting so that a user 
can specify whether the antivirus scanning should run first or last. The 
priority may be set in a priority entry in a Windows registry, for example. The
priority entry determines the order in which the conduits 114, 116 will be 
loaded. If the user typically copies files from the handheld computer 20 to the 
personal computer 22, it is preferred to run the antivirus conduit 114 first, so 
that a virus can be caught before it is transferred to the personal computer 22 
in executable form. If the user typically copies files from the personal 
computer 22 to the handheld device 20, the antivirus conduit 114 is preferably
run last, to ensure that the handheld computer is in a clean state following the
synchronization operation. The priority may be set by a user each time the
antivirus scan is performed or a default priority may be set. The user may also
elect to run the antivirus conduit 114 alone, without running the PIM
conduit, or any other conduits. 

In addition to setting the sequence of operations, a user may also select 
which applications or data records are scanned. For example, the user may 
elect to scan: all databases 108 of the handheld computer 20 or only those of a 
specific type; all records in a resource database, or only those of certain 
resource types; or files in ROM in addition to the files in RAM. Fig. 5 
illustrates an example of a dialog box 134 displayed on the display screen 54 
of the personal computer 22 to provide scanning options to the user. Also 
presented to the user is a list of actions to take when a virus is found. The user 
may request the program to prompt the user for action or always perform a 
specified action when a virus is found. The handheld computer 20 may also 
include software which displays scanning options on the handheld computer 
so that the user may configure the scanning operation from the handheld 
computer rather than the personal computer 22. The preferred scanning 
information entered by the user on the handheld computer 20 can be 
transferred to the personal computer during the synchronization or scanning 
operation.

Once the file transfer manager 110 starts the processing of conduits
114, 116, the manager provides a callback routine which is used by the 
conduits to report the progress of their activities so that the progress of the 
virus scanning or synchronization can be displayed on the personal computer's 
display screen 54 (Figs. 4, 6, and 7). As shown in Fig. 6, a dialog box 130 
may specify which records are currently being scanned. The status dialog box 
130 is preferably continuously updated with the name of the remote file being 
scanned, status data, and the current record number. The dialog box 130 
further includes a cancel button 133. If the cancel button 133 is selected at
any time during the scanning process, the antivirus conduit 114 writes any
unsaved changes back to the handheld computer 20, exits, and allows any 
remaining conduits to run. The dialog box 130 may also include a "More 
Information" button, which will query the virus information library (VIL) 
database and show the results in a browser window. If a virus is found, a 
dialog box 132, such as shown in Fig. 7, may be displayed. The box 132 
includes a list of actions (e.g., clean, delete, ignore, quarantine) a user can 
request the antivirus program to perform on the infected file. 

The antivirus program may be an application such as McAfee's 
VSHIELD, ACTIVESHIELD, SCAN NOW or VIRUSSCAN program, or 
antivirus applications described in U.S. Patent Number 6,029,256, issued 
February 22, 2000 or U.S. Patent Application Serial Number 09/001,611, 
filed December 31, 1997, which are incorporated herein by reference, or any 
other suitable antivirus program. The antivirus program preferably contains 
an update agent which is resident in the background of the personal computer 
system 22 and polls for updates at a set interval. For example, the program 
may poll a server daily to check for new virus signature files or new scan 
engine libraries. Update component versions may be posted on an application 
server provider (ASP) page located on the Internet, which reports back 
whether there are newer versions of any of the listed components. This data 
may be displayed in a browser window which the user can log in to and 
download updated components. The handheld computer 20 may also receive 
an e-mail message informing the user that it is time to check the handheld 
computer for viruses or that new viruses have been discovered. The antivirus 
program may be installed on the personal computer by a disk or CD-ROM, or 
downloaded directly from the Internet, for example. 

The antivirus program resident on the personal computer 22 may 
perform other functions during the scanning process. For example, the 
program may display advertisements or upgrade offers based on which 
applications a user has installed on his handheld computer 20 or personal 
computer 22. The antivirus program may also be configured to automatically 
scan files on the personal computer 22 for viruses before copying these files to 
the handheld computer 20 during a synchronization operation. 

It is to be understood that the antivirus scanning of the handheld 
computer may be performed on an operating system different than the one 
described herein and the components of the file transfer programs, 
arrangement of program components, or antivirus scanner may be different 
than described herein, without departing from the scope of the invention. 

Fig. 8 is a flowchart illustrating a process for performing 
synchronization and virus scanning operations on the handheld computer 20. 
The handheld computer 20 is first put into communication with the personal 
computer 22 to create a communication link between the handheld computer 
and the personal computer at step 150 (Figs. 1 and 8). As previously 
described, this may involve placing the handheld computer into the cradle 24 
attached to the personal computer 22 or a different computer in 
communication with the personal computer over a network, using a modem to 
create a connection between the handheld computer and personal computer, or 
creating a wireless connection between the handheld computer and personal 
computer, for example. The user starts the synchronization/scanning 
operation at step 152 by pushing the synchronization button 94 or selecting a 
synchronization menu option on the handheld computer. The file transfer 
manager 110 monitors communication link 120 between the handheld 
computer 20 and personal computer 22 and receives an interrupt which is 
generated by the file transfer program 98 upon initiation of a synchronization 
or scanning operation (Figs. 4 and 8). The handheld computer 20 then sends 
wake-up packets at set intervals (e.g., every two seconds) to the personal 
computer 22 until the file transfer manager 110 on the personal computer 
acknowledges the handheld computer's wake-up call, or a time out occurs. 

Once the wake-up call is acknowledged, the file transfer manager 110 
looks to see if there is a priority setting for the conduits 114, 116 (step 154). If 
the PIM conduit 116 has a higher priority than the antivirus conduit 114, the 
synchronization operation will be performed first (step 156). During 
synchronization, the PIM conduit 116 compares each handheld computer 
record against the corresponding personal computer record and decides how to 
proceed with the information. The records may be updated, copied, or deleted 
in one or both of the databases 106, 108. After synchronization is complete, 
the antivirus conduit will run the antivirus scan (step 158). If the priority of 
the antivirus conduit 114 is higher than that of the PIM conduit 116, the 
antivirus scan will be performed first, as shown in steps 162 and 164. After 
both conduits 114, 116 have run, the synchronization/scanning operation will 
be complete (step 168). It is to be understood that the scanning operation may 
also be run alone without the synchronization operation, without departing 
from the scope of the invention. For example, a user may select an option to 
turn off the PIM conduit 116 and run only the antivirus conduit 114, 

The virus scanning process is illustrated in further detail in the 
flowchart of Fig. 9. At step 180 the antivirus scan is started and the antivirus 
conduit 114 opens up database 104 located on the personal computer 22 and 
databases 108 on the handheld computer 20 (step 181) (Figs. 4 and 9). The 
file transfer manager 110 creates a list of databases 108 that reside on the 
handheld computer 20. The conduit 114 then creates empty files on the 
personal computer 22 to copy data contained within the databases 108. The 
conduit 114 reads the records from the handheld database 108 and writes the 
records into database 104 one by one (steps 182, 184, 186, and 187). The data 
is copied from the handheld computer 20 to the temporary, non-executable 
files created on the personal computer 22. Each record from the handheld 
computer 20 is read and written to a separate file within database 104 on the 
personal computer 22. It is to be understood that the data may be stored in the 
personal computer memory without writing it to a disk. Thus, the database 
104 may be temporary storage in the personal computer memory. 

After data is read and written to a file, the antivirus scanner 100 scans 
the file (step 188). Scanning is performed in a second thread different from a 
first thread used to read and write the data, so that the first thread can 
immediately start another read operation (steps 184, 186, and 182). If an 
infected file is found, dialog box 132 (Fig. 7) is displayed to ask the user 
whether he wants to delete, clean, or quarantine the file, or ignore the virus 
(step 192). If the user elects to clean the file, the temporary file on the 
personal computer 22 is cleaned, the cleaned data is written back to the 
handheld computer 20, and the original data record is deleted from the 
handheld computer (steps 194, 196, 198 and 202). If the user elects to delete 
the file, the file is simply deleted from the handheld computer (step 200 and 
202). The user may also elect to quarantine the file, in which case the file is 
moved to a quarantine location within the personal computer 22 and the file is 
deleted from the handheld computer 20 (steps 201, 203, and 202). 
Alternatively, the scanner can first determine whether the target of the virus is 
the personal computer 22 or the handheld computer 20 and quarantine the 
virus on whichever device the virus will not execute on. If the virus can 
execute on both platforms, or neither, the virus is quarantined on the personal 
computer side. If the user chooses to ignore the virus, the scanner will ignore 
the infected file and continue to scan the remaining files, if there are files left 
to scan (steps 204 and 188). After all files have been scanned, the antivirus 
conduit 114 deletes the temporary copy of the files on the personal computer 
22 and closes the handheld computer databases 108 (step 205). Control is then 
returned to the file transfer program manager 110 so that the manager can call 
another conduit or end the synchronization/scanning operation (step 206). 
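
The Fig. 9 flow as a runnable sketch, added here as an illustration and not code from the patent or any antivirus product: one thread copies records into temporary non-executable files while a second thread scans them, then the chosen action is applied to each infected record. The dict-based handheld model, the `SIGNATURE` marker and all function names are assumptions, and actions are applied after both threads finish rather than through a dialog at each detection.

```python
import os
import queue
import shutil
import tempfile
import threading

SIGNATURE = b"TOY-SIGNATURE-0001"  # constructed marker, not a real virus signature


def scan_handheld(handheld, choose_action, workdir=None):
    """Scan {db_name: {record_id: bytes}} (stand-in for databases 108).

    choose_action(db, rid) returns 'clean', 'delete', 'quarantine' or 'ignore'.
    Returns ({(db, rid): action}, quarantine_dir).
    """
    workdir = workdir or tempfile.mkdtemp(prefix="hhscan-")
    staging = os.path.join(workdir, "staging")        # stand-in for database 104
    quarantine = os.path.join(workdir, "quarantine")
    os.makedirs(staging)
    os.makedirs(quarantine)
    pending = queue.Queue(maxsize=8)   # bounded: the reader cannot outrun the scanner
    infected = []

    def reader():
        # First thread: copy each record into its own temporary file.
        seq = 0
        for db, records in handheld.items():
            for rid, data in records.items():
                # Host-chosen file name: device-supplied names never reach a path.
                path = os.path.join(staging, f"{seq:06d}.rec")
                seq += 1
                # O_EXCL refuses a pre-existing path; 0o600 sets no execute bit.
                fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
                with os.fdopen(fd, "wb") as fh:
                    fh.write(data)
                pending.put((db, rid, path))
        pending.put(None)  # sentinel: nothing left to read

    def scanner():
        # Second thread: scan files while the reader fetches the next record.
        while (item := pending.get()) is not None:
            with open(item[2], "rb") as fh:
                if SIGNATURE in fh.read():
                    infected.append(item)

    threads = [threading.Thread(target=reader), threading.Thread(target=scanner)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()

    report = {}
    for db, rid, path in infected:
        action = choose_action(db, rid)
        if action == "clean":
            with open(path, "rb") as fh:
                cleaned = fh.read().replace(SIGNATURE, b"")
            handheld[db][rid] = cleaned   # write cleaned data back over the original
        elif action == "quarantine":
            shutil.move(path, os.path.join(quarantine, os.path.basename(path)))
            del handheld[db][rid]
        elif action == "delete":
            del handheld[db][rid]
        elif action != "ignore":
            raise ValueError(f"unknown action {action!r}")
        report[(db, rid)] = action

    shutil.rmtree(staging)  # remove the temporary copies once scanning is done
    return report, quarantine
```
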

It is to be understood that the virus scanning may be performed 
independent from the synchronization, without departing from the scope of the 
invention. For example, the handheld computer 20 may include an application 
that transfers data directly between the handheld computer and the antivirus 
scanner resident on the personal computer 22. 

In addition to scanning files on the handheld computer 20 for viruses, 
when the handheld computer is in communication with the personal computer 
22, software (e.g., applications, programs) resident on the handheld computer 
20 may be updated. The software may include applications such as address, 
date book, expense, mail, memo pad, PALM OS, to do list, or games, for 
example. The file transfer manager 110 is used to collect data from the 
handheld computer 20 to identify what software is installed on the handheld 
computer 20 and the version of the software. As shown in Fig. 10, the file transfer 
manager 110 is in communication with an update conduit 220. The update 
conduit 220 is a dynamic link library that is used by an update program 224 to 
gather software information from the handheld computer 20. A database 222 
may be connected to the update conduit 220 and update program 224 to 
provide a temporary storage area for the list of software and version identifiers 
downloaded from the handheld computer 20. The update program 224 is 
coupled to a server 226 for receiving software updates. The software updates 
may be a new updated version of a program or only a few lines of software code, 
for example. As described above, the client computer 22 may be connected to 
the server 226 by way of an Internet service provider coupled to the Internet, 
and the server may comprise a World Wide Web site maintaining updated 
versions of applications. 

Updated software may be obtained from the server 226 while the 
handheld computer 20 is in communication with the client computer 22, or the 
updates may be obtained from the server after the handheld computer is 
disconnected from the client computer and transferred to the handheld 
computer the next time it is in communication with the client computer. 

Fig. 11 is a flowchart illustrating a process for updating software 
installed on the handheld computer 20. At step 250, the handheld computer 20 
is placed in communication with the client computer 22 (Figs. 10 and 11). 
The communication link 120 may be initiated by placing the handheld 
computer 20 into cradle 24 (Fig. 1) or by any other suitable process, including 
those described above. The software update may be performed during 
synchronization of data between the handheld computer 20 and client 
computer 22, virus scanning of files on the handheld computer, or as a 
stand-alone operation. The update conduit 220 first instructs the file transfer 
manager 110 to collect software information from the handheld computer 20 
(step 252). The update conduit 220 creates a list of applications installed on 
the handheld computer 20 and version information for each application in 
database 222 (step 254). A menu box is then displayed to the user to 
determine which applications the user wants to update and whether he wants 
to update the applications now or at a later time (step 256). If the user chooses 
to perform the update at a later time, the update program 224 will store 
application and version information from the handheld computer 20 and close 
the communication link 120 (step 258). If required, other conduits may be run 
before the link 120 is closed. If the updates are to be performed immediately, 
the communication link 120 will remain open while the updates are retrieved 
from the server 226. 

After the update program 224 receives the software information from 
the handheld computer 20, it either automatically initiates a connection with 
the Internet or requests the user to connect with the Internet (if the client 
computer 22 is not already connected). The client computer 22 is connected to 
the Internet via a TCP/IP connection and an Internet interface program such as 
a Web browser is activated (step 260). The update program 224 transmits a 
sequence of information packets to the server 226 identifying which software 
versions it would like updated (step 262). The server 226 responds by 
downloading software updates to the client computer 22. If no versions newer 
than those already installed on the handheld computer 20 are available, the 
server 226 sends a message stating this to the client computer 22. The update 
program 224 may have to contact a plurality of servers 226 to obtain updates 
for different handheld computer applications. The update program 224 
preferably includes a list of Web sites (URLs) to contact for receiving updated 
versions of handheld computer software. This list may be updated as new 
applications become available. Alternatively, the update program 224 may 
contact one Web site which includes links to other sites containing update 
information. An exemplary process for downloading files from the server 226 
to the client computer 22 is described in U.S. Patent Application Serial No. 
09/001,611, referenced above. 

The update program 224 transmits the software updates to the 
handheld computer 20 if the handheld computer is still connected to the client 
computer 22 (steps 268 and 270). If the handheld computer 20 is not 
connected to the client computer 22, the client computer stores the software 
updates in database 222 until the next time it is connected to the handheld 
computer (step 272). A dialog box may be displayed on the client computer 
22 to report to the user which handheld applications have been updated (step 
274). A dialog box may also be displayed to the user after information is 
transferred from the server 226, to identify the applications for which updates 
were found, along with the new version numbers, and ask the user which 
applications he wants updated on his handheld computer 20. After updates are 
made, the handheld computer 20 is disconnected from the client computer 22 
(step 276). 
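
The update decision of Fig. 11 as a runnable sketch, added here as an illustration and not code from the patent: it compares installed versions against what several servers offer, then either delivers the updates or holds them until the handheld reconnects. The dotted numeric version format, the `updates.example` URLs in the usage and all names are assumptions.

```python
def parse_version(text):
    """'3.10.2' -> (3, 10, 2); numeric compare, so 3.10 is newer than 3.9."""
    return tuple(int(part) for part in text.split("."))


def plan_updates(installed, catalogues):
    """Pick the newest strictly-newer version of each installed application.

    installed:  {app: version} collected from the handheld (step 254).
    catalogues: {server_url: {app: version}}, one entry per server 226.
    Returns {app: (version, server_url)}.
    """
    plan = {}
    for url, offered in catalogues.items():
        for app, version in offered.items():
            if app not in installed:
                continue  # only update software that is already on the device
            best = plan.get(app, (installed[app], None))[0]
            if parse_version(version) > parse_version(best):
                plan[app] = (version, url)
    return plan


class UpdateProgram:
    """Stand-in for update program 224, with database 222 as a pending store."""

    def __init__(self):
        self.pending = {}  # stand-in for database 222

    def deliver(self, plan, handheld):
        """handheld is the device's {app: version} map, or None if disconnected."""
        for app, (version, url) in plan.items():
            held = self.pending.get(app)
            if held is None or parse_version(version) > parse_version(held[0]):
                self.pending[app] = (version, url)  # step 272: hold the update
        if handheld is None:
            return []
        applied = []
        for app, (version, _url) in sorted(self.pending.items()):
            # Re-check at delivery: the device may have changed since planning.
            current = handheld.get(app)
            if current and parse_version(version) > parse_version(current):
                handheld[app] = version  # step 270: transmit to the handheld
                applied.append(app)
        self.pending.clear()
        return applied  # step 274: applications to report as updated
```
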

The updates may be performed automatically whenever the handheld 
computer 20 is connected to the personal computer 22 for synchronization or 
virus scanning. For example, when a synchronization or virus scanning 
operation is performed, the software information may be automatically 
transferred from the handheld computer 20 to the personal computer and the 
personal computer can check to see if new updates are available. If updates 
for software installed on the handheld computer 20 are available, a dialog box 
may be displayed on the personal computer telling the user that his software is 
out of date and can be updated by clicking on "UPDATE" in the dialog box. 
The updates may also be performed automatically, without asking the user, so 
that all employees' handheld computers 20 have the latest applications 
installed, for example. 

It will be observed from the foregoing that the handheld computer 
virus detection system and method, and software update system and method 
described herein provide numerous advantages. Importantly, the virus 
detection system and method allow for efficient detection of viruses on a 
handheld computer without sacrificing the limited memory of the handheld 
computer. The virus detection system may also be used to eliminate viruses 
identified during virus scanning of the handheld computer. The software 
update method provides an efficient process for updating software on the 
handheld computer, which may be done in conjunction with synchronization 
of data or virus scanning of files on the handheld computer. 

Although the present invention has been described in accordance with 
the embodiments shown, one of ordinary skill in the art will readily recognize 
that there could be variations made to the embodiments without departing 
from the scope of the present invention. Accordingly, it is intended that all 
matter contained in the above description and shown in the accompanying 
drawings shall be interpreted as illustrative and not in a limiting sense. 

CLAIMS 

WHAT IS CLAIMED IS: 

1. A method for detecting viruses on a handheld computer in 
communication with a computer system having a virus detection program, the 
method comprising: 

reading data from the handheld computer; 

storing said data at least temporarily on the computer system; 

scanning said data for viruses with the virus detection program; and 

updating data on the handheld computer based on results of the 
scanning. 

2. The method of claim 1 further comprising cleaning said data of 
viruses identified during the scanning. 

3. The method of claim 2 wherein updating data on the handheld 
computer comprises writing cleaned data to the handheld computer and 
deleting infected data. 

WO 01/73523    PCT/US01/07624 

4. The method of claim 1 wherein updating data on the handheld 
computer comprises deleting infected data. 

5. The method of claim 1 wherein updating data on the handheld 
computer comprises identifying infected data on the handheld computer. 

6. The method of claim 1 wherein reading data comprises reading 
individual data records. 

7. The method of claim 1 wherein reading data comprises reading 
program files. 

8. The method of claim 1 further comprising synchronizing data 
between the handheld computer and the computer system. 

9. The method of claim 1 further comprising selecting the type of data 
to read from the handheld computer. 

10. A method for detecting viruses on a handheld computer, the 
method comprising: 

creating a communication link between the handheld computer and a 
computer system having a virus detection program; 

copying data from the handheld computer to the computer system; and 

scanning the data for viruses with the virus detection program while 
the handheld computer is in communication with the computer system. 

11. The method of claim 10 further comprising removing viruses 
identified in the data. 

12. The method of claim 11 wherein removing viruses comprises 
cleaning infected data. 

13. The method of claim 12 further comprising copying cleaned data 
from the computer system to the handheld computer and removing infected 
data from the handheld computer. 

14. The method of claim 11 wherein removing viruses comprises 
deleting infected data from the handheld computer. 

15. The method of claim 11 wherein removing viruses comprises 
quarantining infected data. 

16. The method of claim 10 wherein creating a communication link 
comprises connecting a serial line between the personal computer and the 
handheld computer. 

17. The method of claim 16 wherein connecting a serial line 
comprises placing the handheld computer in a cradle connected to the serial 
line. 

18. The method of claim 10 wherein creating a communication link 
comprises remotely accessing the computer system through a modem 
connected to the handheld computer. 

19. The method of claim 10 wherein creating a communication link 
comprises creating a wireless connection between the handheld computer and 
the computer system. 

20. The method of claim 10 wherein creating a communication link 
comprises creating a communication link via a network. 

21. The method of claim 10 wherein copying data from the handheld 
computer comprises writing the data to temporary files on the computer 
system. 

22. The method of claim 10 wherein copying data comprises copying 
individual data records from the handheld computer to the computer system. 

23. The method of claim 10 wherein copying data comprises copying 
program files. 

24. The method of claim 10 further comprising initiating a 
synchronization operation between the handheld computer and the computer 
system. 

25. The method of claim 24 wherein scanning of the data occurs 
during the synchronization operation. 

26. A system for detecting viruses on a handheld computer in 
communication with a computer system, the virus detection system 
comprising: 

a file transfer manager operable to receive data from a handheld 
computer and at least temporarily store said data on the computer system; 

a virus detection program located on the computer system and operable 
to scan said data for viruses; and 

an antivirus controller operable to update data on the handheld 
computer to remove viruses identified by the virus detection program. 

27. The system of claim 26 further comprising a data cleaner operable 
to clean infected data identified by the virus detection program. 

28. A computer product for detecting viruses on a handheld computer 
in communication with a computer system, comprising: 

computer code that reads data from the handheld computer; 

computer code that stores said data at least temporarily on the 
computer system; 

computer code that scans said data for viruses; 

computer code that updates data on the handheld computer to remove 
viruses identified during scanning; and 

a computer readable medium that stores said computer codes. 

29. The computer product of claim 28 wherein the computer readable 
medium is selected from the group consisting of CD-ROM, floppy disk, tape, 
flash memory, system memory, hard drive, and a data signal embodied in a 
carrier wave. 

30. The computer product of claim 28 further comprising code that 
cleans infected data. 

31. The computer product of claim 28 further comprising code that 
selects data to read from the handheld computer. 

32. A method for updating software on a handheld computer in 
communication with a client computer system operable to connect to a 
network, the method comprising: 

identifying software installed on the handheld computer with the client 
computer and transmitting information on the identified software from the 
client computer to a server connected to the network; 

transferring updated versions of the software installed on the handheld 
computer from the server to the client computer; and 

updating the software installed on the handheld computer with the 
updated versions transferred to the client computer. 

33. The method of claim 32 further comprising initiating 
communication between the handheld computer and the client computer. 

34. The method of claim 33 wherein initiating communication 
comprises connecting a serial line between the handheld computer and the 
client computer. 

35. The method of claim 34 wherein connecting a serial line 
comprises placing the handheld computer in a cradle connected to the serial 
line. 

36. The method of claim 32 wherein the network is the Internet. 

37. The method of claim 32 wherein the network is a local area 
network. 

38. The method of claim 32 further comprising notifying a user of the 
handheld computer that the installed software has been updated. 

39. The method of claim 32 further comprising synchronizing data 
between the handheld computer and the client computer. 

40. The method of claim 32 further comprising scanning data on the 
handheld computer for viruses. 

41. A computer product for updating software on a handheld computer 
in communication with a client computer operable to connect to a network, the 
product comprising: 

computer code that reads data from the handheld computer to identify 
software installed on the handheld computer; 

computer code that transmits information on the identified software 
from the client computer to a server connected to the network; 

computer code that transfers updated versions of the software installed 
on the handheld computer from the server to the client computer; 

computer code that updates the software installed on the handheld 
computer with the updated versions transferred to the client computer; and 

a computer readable medium that stores said computer codes. 